The procedure is pretty much unchanged from the 1980s, when cashpoints first caught on.

You insert your card, which is something you have, and you type in your PIN, which is something you know, and then you can withdraw money.

As we know only too well, however, ATM cards can be skimmed, meaning that someone copies the data off your magnetic stripe and writes it onto another card that will work in place of yours.

In a way, that means that cash withdrawals are really only 1FA, protected by your PIN, because there may be multiple copies of your card floating around.

So, you may have wondered, especially if you’re a regular internet banker, why the ATM doesn’t add a stronger sort of second factor, for example by SMSing your phone a code that you type in after your PIN.

That would be great, wouldn’t it?

Heck, you wouldn’t even need to bother with your card, which would also reduce the chance of it being skimmed by a hidden magstripe reader at the ATM itself!

According to reports, US banks are starting to try out just such a system, starting with 2000 new “cardless” cash machines.

In fact, they’re going one step further, and getting rid of the PIN as well.

Well, sort of: there will be a PIN or password in the process, but you won’t type it in on the keypad at the ATM, where a crook could have hidden a tiny video camera to record the keys that you press.

How it works

As far as we can tell, the process will work like this:

You open an app on your phone and request a withdrawal.

Your financial institution replies with an authorisation, presumably in the form of a QR code.

You “show” the authorisation code to a scanner on the ATM, and out comes the cash.

It’s an interesting idea, and we’ve already mentioned three benefits, namely: your card can’t get skimmed at the ATM; your PIN can’t get recorded by any hidden cameras; and the authorisation code is a one-time deal, so it can’t be re-used.

We assume you’ll be able to prepare your transaction a short while in advance, for example in a well-lit coffee shop close to the ATM, and then turn up and withdraw your money really quickly and without having to concentrate on the ATM’s user interface, for a much better sense of physical security.

(The banks in this trial are claiming 10 seconds per withdrawal, instead of 30 to 40 seconds with a conventional card-and-PIN withdrawal.)

Is it safe?

But there are some downsides to the idea, too.

Firstly, you’ll almost certainly be relying on a dedicated mobile app that approves irreversible financial transactions. (Once you do the withdrawal, there’s no way for either party to cancel the transaction: it’s not just “like cash”, it is cash.)

As we’ve seen in recent years, mobile apps have had a chequered history when it comes to security, especially when it comes to detecting an imposter in the chain of events, for example by not detecting that the app had connected to a fake version of the bank’s official site.

Secondly, given that mobile phones aren’t immune to malware, there’s a risk that a crook could subvert a transaction as you carried it out. (Imagine malware that could snap a screenshot of the QR code just before you used it, for a waiting crook to deploy at a nearby ATM.)

Thirdly, there’s an interesting new angle for muggers: ATMs will become places where potential victims not only get their mobile phones out, but also unlock them ready for use.

In other words, as well as hitting you up for the cash you’re withdrawing, they could end up with your phone, unlocked and ready to use for free calls or to sell on to a data thief.

What about you?

How will Americans take to this new sort of phone banking?

Would you use it if one of these 2000 new ATMs were in your neck of the woods?

15 comments on “Would you use an ATM that didn’t need a card…*or* a PIN?”

If they displayed the code on the lock screen as for boarding cards then you wouldn’t need to unlock the phone – that’s more secure because, let’s face it, you’re going to unlock the phone anyway at the ATM. As for security – it would make sense to only authorise a specific ATM, perhaps with a location code like parking apps use. Or I would have thought that using NFC would be simpler and more secure though, rather than a QR code. And you could use your NFC-enabled wearable if you own one…
Downsides? Well, I always (ALWAYS) want a receipt slip and I suspect I wouldn’t get one. I also wonder what happens if you request a sum and your designated machine doesn’t have enough? Presumably it would tell you when you book your withdrawal and suggest an ATM that does? I’m not even sure if that IS a down side, come to think of it…

Exactly so. What if you don’t own a mobile phone, like me? Besides we have always had a system that didn’t need a card or a pin or a phone. It’s called a bank teller(ess). Although I must admit ATMs come in very handy when you’re travelling and don’t want to walk about with that enticing wad of cash in your pocket made up of 5 different currencies. If we are so concerned with ATM security, what about credit cards? They have the same, identical to the user, 2FA system.

In most of the world except for the USA, you don’t swipe your card any more to make a purchase, so the card is a bit less clonable. (The magstripe doesn’t go near a reader during the transaction because ,in most PoS devices, just the chip part of the card is inserted and the rest of the card sticks out the end of the device.)

Ironically, having lived only in Chip and PIN countries over the past few years, every ATM I’ve used has required me to put the card into a slot where it is sucked in fully and then processed. Even if the ATM ends up reading the chip and not the stripe (I don’t know what happens inside the ATM mechanism), the ATM card reader itself is an ideal location for a skimmer.

The other huge difference between “why the concern over ATM security” considering that credit card security is similar or even weaker is “who pays.” Most ATMs contain cash that belongs to the bank, so if there’s a disputed transaction and you end up getting your money back, the bank carries the cost. In the case of a disputed credit card transaction, the bank doesn’t lose out, because the merchant wears the cost.

1. My phone broke/got lost/was stolen while on vacation, I can’t call home, can’t get cash for a cab even.
2. One of those thousand of hacked apps on iTunes/GooglePlay took over my banking info and drained my account.
3. like you said, they stole my phone while banking and now all is lost….
I like to carry cash, at least that’s all they will get, and CC fraud is MUCH more common than muggings. If you get mugged and they take your cards, you can most likely cancel them before real damage is done, since you know it….
I can hear the opposing – “but I want my miles/reward for purchasing” as if that makes up for the CC fees lol.